Hunt Down Those Hackers and...Ignore Them?

Scott Spanbauer

I use Zone Labs' ZoneAlarm firewall freeware on my PC. Occasionally ZoneAlarm sends a message saying it blocked a remote computer from accessing my PC. It then lists an IP address and a TCP port, followed by four digits. Is there a way to find out to whom the IP address refers?

Jack Lozano, Tigard, Oregon

Sometimes it's worthwhile to track down miscreants who probe your computer from afar, but most of these "attacks" are benign. Running firewall software such as Network ICE's BlackICE Defender, ZoneAlarm, or Symantec's Norton Internet Security is almost always sufficient protection--although it's not as safe as disconnecting your computer from the Internet and switching off the power.

I'm not joking. If you want to ensure that crackers--Internet break-in artists--can't probe your PC's ports, you have to either physically disconnect the phone or network line running into the PC, or shut off the computer's power. (You also have to make sure that the computer's Wake-on-LAN BIOS setting, if any, is disabled.)

There's nothing illegal about people scanning your computer's ports, and not every scan is evidence of a cracker at work. Many of the most common port scans are routine checks for server software that doesn't even exist on most Windows computers. For example, your ISP may routinely scan your system to make sure you're not running servers that are disallowed under the company's terms of service.

Other scans may be completely innocent as well, like the cable-modem user next door trying to install remote-control software such as PCAnywhere, or a scan by another computer on your local network. It could even be coming from your own system. This figure shows BlackICE's list of port scan source addresses.

The domain names or IP addresses your firewall displays as the source of the remote scan may also be forged (or spoofed, in network parlance). Though you can report the probe to the administrator of the domain listed, it's very possible that the scan originated elsewhere. It could also be that the source address listed is genuine, but the machine doing the scanning has been taken over by a Trojan horse program implanted by a cracker.

In most cases, your PC is just one of thousands of machines the person at the remote address (spoofed or not) is scanning using an automated tool. The scanner is rarely looking for a PC running Windows, because such systems aren't that interesting to crackers. They're more interested in exploiting buggy server software to download a vulnerable trove of passwords or steal credit card numbers.

If you run Windows versions of server software for the FTP, POP3 (the most common e-mail server), IMAP4 (another e-mail server type), NNTP (network news transport protocol), RPC (remote procedure call), or other protocols, you have to guard against hack attacks. Turn off your computer and read Administering Web Servers, Security & Maintenance by Eric Larson and Brian Stephens (Prentice Hall PTR, 2000, $42), which is one of several good books on Internet server security. In fact, you can get a lot out of the book even if you don't run those server types.

If you are the target of prolonged attacks against TCP or other services running on your computer, notify the administrator of the offending domain. You can read more about TCP port probes on Network ICE's Web site. You could also try sending a brief e-mail to abuse@domain or security@domain, where domain is the domain name used by the attacker. For example, if you get repeated TCP probes from a computer identified as crackerbox.crackerdomain.com, you might want to send out a quick heads-up to abuse@crackerdomain.com. Even if the source address turns out to be spoofed, the administrator at crackerdomain.com will likely want to know that someone is using the domain without authorization.
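The triage described above, separating one-off or local scans from prolonged remote probing and deriving the abuse@ and security@ contacts, can be sketched in Python. This is an added example, not part of the original column: the log format, the sample lines, the thresholds, and the function names are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts (hypothetical format): date, time, source, blocked TCP port.
SAMPLE_LOG = """\
2001-03-01 09:14:02 crackerbox.crackerdomain.com 21
2001-03-01 09:14:05 192.168.0.12 139
2001-03-02 22:40:51 crackerbox.crackerdomain.com 110
2001-03-03 03:05:17 crackerbox.crackerdomain.com 143
2001-03-03 11:30:00 scanner.isp.example 119
2001-03-04 18:22:09 127.0.0.1 135
2001-03-05 07:45:33 crackerbox.crackerdomain.com 21
"""

def is_local(source):
    """True for loopback/private addresses: your own PC or LAN, nothing to report."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return False  # a hostname, not an IP literal
    return addr.is_private or addr.is_loopback

def report_domain(source):
    """Naive guess at the domain to contact: the last two labels of the hostname.
    Assumption: wrong for suffixes like .co.uk; a bare IP needs a WHOIS lookup instead."""
    try:
        ipaddress.ip_address(source)
        return None
    except ValueError:
        return ".".join(source.lower().rstrip(".").split(".")[-2:])

def triage(log_text, min_probes=3, min_days=2):
    """Return {source: summary} for remote sources whose probes are prolonged."""
    seen = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        date, time, source, port = line.split()
        if not is_local(source):
            seen[source].append((datetime.fromisoformat(f"{date} {time}"), int(port)))
    report = {}
    for source, hits in seen.items():
        days = {ts.date() for ts, _ in hits}
        if len(hits) >= min_probes and len(days) >= min_days:
            domain = report_domain(source)
            contacts = [f"abuse@{domain}", f"security@{domain}"] if domain else []
            report[source] = {"probes": len(hits), "days": len(days),
                              "ports": sorted({p for _, p in hits}), "contacts": contacts}
    return report
```

Because the source shown by the firewall may be spoofed, the output is a list of administrators to notify, not an identification of whoever ran the scan.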

De-Brand, Re-Brand Internet Explorer

Tired of having your browser window running an animated logo of an ISP you bailed out of last year? Wish your browser's title bar didn't reveal that you are--gasp!--an AOL user? It's easy to return Internet Explorer to its native, nonbranded state. All you do is choose Start, Run, type rundll32.exe iedkcs32.dll,Clear in the Open field, and press Enter.

But how about creating your own personal browser branding? Doing so entails editing the Registry, so be sure to make a Registry backup beforehand. For instructions on backing up the Registry, see the May 2000 Answer Line, "Protect Yourself Against Catastrophic Installs."

Once you have your Registry backed up, select Start, Run, type regedit in the Open field, and press Enter to launch the Registry editor. Press Ctrl-F, type BrandBitmap in the 'Find what' field, and press Enter. The search should land on the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\BrandBitmap.

Double-click the key in the pane on the right to open the Edit String dialog box. Edit the path in the Value Data field so that it points to the bitmap image of your choice. Click OK, and repeat the steps for the SmBrandBitmap and BackBitmap keys. If the keys don't exist, you'll need to create them by navigating to the HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar key, right-clicking in the right-hand pane, and choosing New, String Value.

Create a 38-by-22-pixel, 11-frame animated .bmp file for the BrandBitmap key; a 22-by-22-pixel, 31-frame image for the SmBrandBitmap key; and any small, low-contrast image for the BackBitmap key. To customize Internet Explorer's window title text, navigate to or create the key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window Title, double-click it, and retitle as you wish.

Say Good-Bye (Really) to Disconnect Dialogs

In January's "Say Good-Bye to Disconnect Dialogs," I advised Matt Zentgraf on how to disable a dialog box that nagged him to close his Internet connection. The tip worked great for Matt, but other readers wrote to report that unchecking the 'Disconnect when connection may no longer be needed' setting didn't stop the irritating box from popping up whenever they closed Internet Explorer.

A little digging revealed a Microsoft Knowledge Base article that describes a conflict in Windows 98 and 98 SE between the IE 5.x setting and the Encompass Internet account registration software. Encompass comes preinstalled on many Compaq, Dell, HP, Toshiba, and other computers, and it is used by AT&T WorldNet and other ISPs. You have to disable the software, which loads at start-up from a command deep in the Windows Registry. Be forewarned, however, that your network connection may depend on Encompass, so disabling it could block you from dialing in at all.

To prevent Encompass from loading at start-up, select Start, Programs, Accessories, System Tools, System Information, and choose Tools, System Configuration Utility. Alternatively, you could click Start, Run and type msconfig in the Run box to bring up the same window. Then click the Startup tab and uncheck Encompass_ENCOMNTR in the list of items in your start-up menu. Click OK and reboot your system.

You'll find more thorough removal instructions at Dell's Web site.

Download of the Month: A Music Player That Beats the Band

Microsoft's Windows Media Player 7 may receive the plaudits as the most improved media player around, but if you're concerned mainly with playing and managing MP3 files, check out Nullsoft's Winamp, a relative old-timer.

Like Netscape, Nullsoft's parent company is America Online, but Winamp's developers have still managed to create one of the most powerful, compact, configurable, and cool players around. The most recent version, 2.72, weighs in at a mere 2.2MB. A lite version, which forgoes the music-driven graphics module and support for the WMA and M-Juice audio formats, is a slim 481KB. Both let you choose from among thousands of interface "skins," and both offer over 100 plug-ins for audio effects and music visualization. To try a new skin, just click its download link in the Winamp site, and boom! It's installed and running.

My favorite Winamp-related feature is Shoutcast, a streaming MP3 portal that makes me feel like I'm finally getting my money's worth from my cable-modem connection. All of these Winamp versions are available for free from our Downloads library, as well as from the Winamp Web site.

Synchronize Those Bookmarks

Now you can combine your Netscape Navigator Bookmarks and Internet Explorer Favorites. The free BookmarkSync service automatically synchronizes your bookmarks and favorites--even those you store on a Macintosh or Palm PC. You can edit your single, synchronized list online and also share your lists and files with friends. Download the 365KB client from our Downloads library or from the BookmarkSync Web site and install it on each computer whose bookmarks you want to get a handle on.

Send your questions and tips to nettips@spanbauer.com. We pay $50 for published items. Scott Spanbauer is a contributing editor for PC World.


©2009 About.com, a part of The New York Times Company.

All rights reserved.